diff --git a/src/per_curve/decaf.tmpl.c b/src/per_curve/decaf.tmpl.c index 39ff384..9920122 100644 --- a/src/per_curve/decaf.tmpl.c +++ b/src/per_curve/decaf.tmpl.c @@ -35,7 +35,7 @@ static const scalar_t point_scalarmul_adjustment = {{{ $(ser((2**(combs.n*combs.t*combs.s) - 1) % q,64,"SC_LIMB")) }}}; -const uint8_t API_NS(x_base_point)[X_SER_BYTES] = { $(ser(mont_base,8)) }; +const uint8_t decaf_x$(gf_shortname)_base_point[DECAF_X$(gf_shortname)_PUBLIC_BYTES] = { $(ser(mont_base,8)) }; #if COFACTOR==8 || EDDSA_USE_SIGMA_ISOGENY static const gf SQRT_ONE_MINUS_D = {FIELD_LITERAL( @@ -47,7 +47,7 @@ const uint8_t API_NS(x_base_point)[X_SER_BYTES] = { $(ser(mont_base,8)) }; /* Sanity */ #if (COFACTOR == 8) && !IMAGINE_TWIST -/* FUTURE: Curve41417 doesn't have these properties. */ +/* FUTURE MAGIC: Curve41417 doesn't have these properties. */ #error "Currently require IMAGINE_TWIST (and thus p=5 mod 8) for cofactor 8" #endif @@ -1048,7 +1048,7 @@ decaf_error_t API_NS(direct_scalarmul) ( } void API_NS(point_encode_like_eddsa) ( - uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES], + uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], const point_t p ) { @@ -1123,9 +1123,9 @@ void API_NS(point_encode_like_eddsa) ( gf_mul(x,y,z); /* Encode */ - enc[$(C_NS)_EDDSA_PRIVATE_BYTES-1] = 0; + enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] = 0; gf_serialize(enc, x, 1); - enc[$(C_NS)_EDDSA_PRIVATE_BYTES-1] |= 0x80 & gf_lobit(t); + enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] |= 0x80 & gf_lobit(t); decaf_bzero(x,sizeof(x)); decaf_bzero(y,sizeof(y)); 
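Review bot: The initializer `{ $(ser(mont_base,8)) }` of the renamed `decaf_x$(gf_shortname)_base_point` is a template-emitted byte list whose length is never checked against the new `DECAF_X$(gf_shortname)_PUBLIC_BYTES` bound: too few bytes would silently zero-pad the tail of the base point, and too many is only a warning on some compilers. A cheap guard next to the definition is `_Static_assert(sizeof((const uint8_t[]){ $(ser(mont_base,8)) }) == DECAF_X$(gf_shortname)_PUBLIC_BYTES, "x base point length");`. Whether the old `X_SER_BYTES` and the new macro expand to the same value is not visible in this hunk.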
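Review bot: In the `point_encode_like_eddsa` hunk the top byte of `enc`, whose declared size is `DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES`, is addressed as `enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1]` on both renamed lines. The two macros are equal by definition in eddsa.tmpl.h, so this is not an out-of-bounds write, but a reader has to know that to see the index is in range; `enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES-1]` says what is meant. The same mixed constant appears three times in the `point_decode_like_eddsa` hunk on the next line (`enc2[...PRIVATE_BYTES-1]`). The body of `point_encode_like_eddsa` starts before this hunk.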
@@ -1137,17 +1137,17 @@ void API_NS(point_encode_like_eddsa) ( decaf_error_t API_NS(point_decode_like_eddsa) ( point_t p, - const uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES] + const uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES] ) { - uint8_t enc2[$(C_NS)_EDDSA_PUBLIC_BYTES]; + uint8_t enc2[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES]; memcpy(enc2,enc,sizeof(enc2)); - mask_t low = ~word_is_zero(enc2[$(C_NS)_EDDSA_PRIVATE_BYTES-1] & 0x80); - enc2[$(C_NS)_EDDSA_PRIVATE_BYTES-1] &= ~0x80; + mask_t low = ~word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] & 0x80); + enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] &= ~0x80; mask_t succ = DECAF_TRUE; #if $(gf_bits % 8) == 0 - succ = word_is_zero(enc2[$(C_NS)_EDDSA_PRIVATE_BYTES-1]); + succ = word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1]); #endif succ &= gf_deserialize(p->y, enc2, 1); diff --git a/src/per_curve/decaf.tmpl.h b/src/per_curve/decaf.tmpl.h index 8a62340..619baa7 100644 --- a/src/per_curve/decaf.tmpl.h +++ b/src/per_curve/decaf.tmpl.h @@ -38,10 +38,10 @@ typedef struct gf_$(gf_shortname)_s { #define $(C_NS)_INVERT_ELLIGATOR_WHICH_BITS $(ceil_log2(cofactor) + 7 + elligator_onto - ((gf_bits-2) % 8)) /** Number of bytes in an x$(gf_shortname) public key */ -#define X$(gf_shortname)_PUBLIC_BYTES $((gf_bits-1)/8 + 1) +#define DECAF_X$(gf_shortname)_PUBLIC_BYTES $((gf_bits-1)/8 + 1) /** Number of bytes in an x$(gf_shortname) private key */ -#define X$(gf_shortname)_PRIVATE_BYTES $((gf_bits-1)/8 + 1) +#define DECAF_X$(gf_shortname)_PRIVATE_BYTES $((gf_bits-1)/8 + 1) /** Twisted Edwards extended homogeneous coordinates */ typedef struct $(c_ns)_point_s { 
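Review bot: Dropping the unprefixed `X$(gf_shortname)_PUBLIC_BYTES` / `X$(gf_shortname)_PRIVATE_BYTES` names from the public decaf.tmpl.h is an API break for any code built against the previous header, and nothing in the hunk keeps them resolvable. If the rename is meant to be adopted gradually, keep a transitional alias next to the new definition, e.g. `#define X$(gf_shortname)_PUBLIC_BYTES DECAF_X$(gf_shortname)_PUBLIC_BYTES`, or record the removal in the changelog. The same applies to the renamed `$(C_NS)_EDDSA_*` macros and `$(c_ns)_eddsa_*` functions in eddsa.tmpl.h further down, and the extern `$(c_ns)_x_base_point` symbol changes its link name as well.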
@@ -384,13 +384,13 @@ decaf_error_t $(c_ns)_direct_scalarmul ( * point is in a small subgroup. */ decaf_error_t decaf_x$(gf_shortname)_direct_scalarmul ( - uint8_t out[X$(gf_shortname)_PUBLIC_BYTES], - const uint8_t base[X$(gf_shortname)_PUBLIC_BYTES], - const uint8_t scalar[X$(gf_shortname)_PRIVATE_BYTES] + uint8_t out[DECAF_X$(gf_shortname)_PUBLIC_BYTES], + const uint8_t base[DECAF_X$(gf_shortname)_PUBLIC_BYTES], + const uint8_t scalar[DECAF_X$(gf_shortname)_PRIVATE_BYTES] ) API_VIS NONNULL WARN_UNUSED NOINLINE; /** The base point for X$(gf_shortname) Diffie-Hellman */ -extern const uint8_t $(c_ns)_x_base_point[X$(gf_shortname)_PUBLIC_BYTES] API_VIS; +extern const uint8_t decaf_x$(gf_shortname)_base_point[DECAF_X$(gf_shortname)_PUBLIC_BYTES] API_VIS; /** * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses @@ -400,8 +400,8 @@ extern const uint8_t $(c_ns)_x_base_point[X$(gf_shortname)_PUBLIC_BYTES] API_VIS * @param [in] scalar The scalar to multiply by. */ void decaf_x$(gf_shortname)_base_scalarmul ( - uint8_t out[X$(gf_shortname)_PUBLIC_BYTES], - const uint8_t scalar[X$(gf_shortname)_PRIVATE_BYTES] + uint8_t out[DECAF_X$(gf_shortname)_PUBLIC_BYTES], + const uint8_t scalar[DECAF_X$(gf_shortname)_PRIVATE_BYTES] ) API_VIS NONNULL NOINLINE; /* FUTURE: uint8_t $(c_ns)_encode_like_curve$(gf_shortname)) */ diff --git a/src/per_curve/decaf.tmpl.hxx b/src/per_curve/decaf.tmpl.hxx index 08ed20c..87a4acf 100644 --- a/src/per_curve/decaf.tmpl.hxx +++ b/src/per_curve/decaf.tmpl.hxx 
@@ -316,13 +316,13 @@ public: * Contents of the point are undefined. */ inline decaf_error_t WARN_UNUSED decode_like_eddsa_noexcept ( - const FixedBlock<$(C_NS)_EDDSA_PUBLIC_BYTES> &buffer + const FixedBlock &buffer ) NOEXCEPT { return $(c_ns)_point_decode_like_eddsa(p,buffer.data()); } inline void decode_like_eddsa ( - const FixedBlock<$(C_NS)_EDDSA_PUBLIC_BYTES> &buffer + const FixedBlock &buffer ) throw(CryptoException) { if (DECAF_SUCCESS != decode_like_eddsa_noexcept(buffer)) throw(CryptoException()); } @@ -331,7 +331,7 @@ public: * Encode like EdDSA. FIXME: and multiply by the cofactor... */ inline SecureBuffer encode_like_eddsa() const { - SecureBuffer ret($(C_NS)_EDDSA_PUBLIC_BYTES); + SecureBuffer ret(DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES); $(c_ns)_point_encode_like_eddsa(ret.data(),p); return ret; } @@ -624,14 +624,14 @@ public: struct DhLadder { public: /** Bytes in an X$(gf_shortname) public key. */ - static const size_t PUBLIC_BYTES = X$(gf_shortname)_PUBLIC_BYTES; + static const size_t PUBLIC_BYTES = DECAF_X$(gf_shortname)_PUBLIC_BYTES; /** Bytes in an X$(gf_shortname) private key. */ - static const size_t PRIVATE_BYTES = X$(gf_shortname)_PRIVATE_BYTES; + static const size_t PRIVATE_BYTES = DECAF_X$(gf_shortname)_PRIVATE_BYTES; /** Base point for a scalar multiplication. */ static const FixedBlock base_point() NOEXCEPT { - return FixedBlock($(c_ns)_x_base_point); + return FixedBlock(decaf_x$(gf_shortname)_base_point); } /** Generate and return a shared secret with public key. */ diff --git a/src/per_curve/eddsa.tmpl.c b/src/per_curve/eddsa.tmpl.c index 7805897..11cf52f 100644 --- a/src/per_curve/eddsa.tmpl.c +++ b/src/per_curve/eddsa.tmpl.c 
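Review bot: On the new side of the `decode_like_eddsa_noexcept` / `decode_like_eddsa` hunk, `const FixedBlock &buffer` shows no template argument, while the removed lines carried `<$(C_NS)_EDDSA_PUBLIC_BYTES>`; the same happens with `FixedBlock` in `base_point()` here and with `FixedArrayBuffer priv_` / `pub_` and `FixedBlock &sig` in eddsa.tmpl.hxx below. This looks like the page rendering swallowed the angle-bracketed argument as an HTML tag, so the actual commit presumably has `<DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES>`. If the argument is genuinely absent, the compile-time length check that made passing a wrong-sized buffer to `$(c_ns)_point_decode_like_eddsa` impossible is lost, so please confirm against the raw patch.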
@@ -19,22 +19,28 @@ #define hash_destroy decaf_$(eddsa_hash)_destroy #define hash_hash decaf_$(eddsa_hash)_hash -#define SUPPORTS_CONTEXTS $(C_NS)_EDDSA_SUPPORTS_CONTEXTS +#define SUPPORTS_CONTEXTS DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS #define EDDSA_USE_SIGMA_ISOGENY $(eddsa_sigma_iso) #define COFACTOR $(cofactor) +/* EDDSA_BASE_POINT_RATIO = 1 or 2 + * Because EdDSA25519 is not on E_d but on the isogenous E_sigma_d, + * its base point is twice ours. + */ +#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY) + static void clamp ( - uint8_t secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES] + uint8_t secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES] ) { /* Blarg */ secret_scalar_ser[0] &= -COFACTOR; uint8_t hibit = (1<<$(gf_bits % 8))>>1; if (hibit == 0) { - secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 1] = 0; - secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 2] |= 0x80; + secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 1] = 0; + secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 2] |= 0x80; } else { - secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 1] &= hibit-1; - secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 1] |= hibit; + secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 1] &= hibit-1; + secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 1] |= hibit; } } 
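Review bot: The renamed `clamp` body still has `/* Blarg */` as its only comment, and the masks it applies (`&= -COFACTOR`, the `hibit` computation, the two branches on `gf_bits % 8`) are exactly the part a reviewer needs explained. Replace it with `/* RFC 8032 clamping: clear the low log2(COFACTOR) bits, clear every bit at or above gf_bits, and set bit gf_bits-1; when gf_bits % 8 == 0 that bit is the top bit of the second-to-last byte and the last byte is zeroed. */`. It would also help to say on `EDDSA_BASE_POINT_RATIO` that it drives both the halving loops in derive_public_key/sign and the `#if EDDSA_BASE_POINT_RATIO == 2` doubling in verify, so a change to one place is a change to all three.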
@@ -61,18 +67,18 @@ static void hash_init_with_dom( #endif } -void API_NS(eddsa_derive_public_key) ( - uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES], - const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES] +void decaf_eddsa_$(gf_shortname)_derive_public_key ( + uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], + const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES] ) { /* only this much used for keygen */ - uint8_t secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES]; + uint8_t secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]; hash_hash( secret_scalar_ser, sizeof(secret_scalar_ser), privkey, - $(C_NS)_EDDSA_PRIVATE_BYTES + DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES ); clamp(secret_scalar_ser); @@ -80,7 +86,7 @@ void API_NS(eddsa_derive_public_key) ( API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser)); /* TODO: write documentation for why (due to isogenies) this needs to be quartered/eighthed */ - for (unsigned int c = 1; c < COFACTOR/(1+EDDSA_USE_SIGMA_ISOGENY); c <<= 1) { + for (unsigned int c = 1; c < COFACTOR/EDDSA_BASE_POINT_RATIO; c <<= 1) { API_NS(scalar_halve)(secret_scalar,secret_scalar); } @@ -95,10 +101,10 @@ void API_NS(eddsa_derive_public_key) ( decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser)); } -void API_NS(eddsa_sign) ( - uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES], - const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES], - const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES], +void decaf_eddsa_$(gf_shortname)_sign ( + uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES], + const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed 
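Review bot: The `TODO: write documentation for why (due to isogenies) this needs to be quartered/eighthed` above the halving loop is left in place even though the commit introduces `EDDSA_BASE_POINT_RATIO` precisely to name that reason, so this is the moment to replace the TODO. From the loop bound the loop halves log2(COFACTOR/EDDSA_BASE_POINT_RATIO) times; a comment such as `/* The EdDSA scalar is relative to the EdDSA base point, which is EDDSA_BASE_POINT_RATIO times ours; the remaining cofactor is removed by halving log2(COFACTOR/EDDSA_BASE_POINT_RATIO) times before the scalarmul. */` would do if the maintainers confirm that reading, which I infer from the loop and the macro's comment rather than from the math. The same loop, with the same undocumented bound, sits in the nonce-point computation of `eddsa_sign` on the next line.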
@@ -116,14 +122,14 @@ void API_NS(eddsa_sign) ( { /* Schedule the secret key */ struct { - uint8_t secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES]; - uint8_t seed[$(C_NS)_EDDSA_PRIVATE_BYTES]; + uint8_t secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]; + uint8_t seed[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]; } __attribute__((packed)) expanded; hash_hash( (uint8_t *)&expanded, sizeof(expanded), privkey, - $(C_NS)_EDDSA_PRIVATE_BYTES + DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES ); clamp(expanded.secret_scalar_ser); API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser)); @@ -138,18 +144,18 @@ void API_NS(eddsa_sign) ( /* Decode the nonce */ API_NS(scalar_t) nonce_scalar; { - uint8_t nonce[2*$(C_NS)_EDDSA_PRIVATE_BYTES]; + uint8_t nonce[2*DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]; hash_final(hash,nonce,sizeof(nonce)); API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce)); decaf_bzero(nonce, sizeof(nonce)); } - uint8_t nonce_point[$(C_NS)_EDDSA_PUBLIC_BYTES] = {0}; + uint8_t nonce_point[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES] = {0}; { /* Scalarmul to create the nonce-point */ API_NS(scalar_t) nonce_scalar_2; API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar); - for (unsigned int c = 2; c < COFACTOR/(1+EDDSA_USE_SIGMA_ISOGENY); c <<= 1) { + for (unsigned int c = 2; c < COFACTOR/EDDSA_BASE_POINT_RATIO; c <<= 1) { API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2); } 
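Review bot: `expanded` in the first `eddsa_sign` hunk holds the clamped secret scalar bytes and the nonce seed, i.e. the whole expanded private key, and the hunk ends before the point where it should be wiped; if there is no `decaf_bzero(&expanded, sizeof(expanded));` later in the function (not visible here), add one after the last use of `expanded.seed`. The separate `nonce` buffer in the second hunk is cleared right after it is decoded, so the same treatment is expected for `expanded`. The function signature is above this hunk.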
@@ -165,9 +171,9 @@ void API_NS(eddsa_sign) ( /* Compute the challenge */ hash_init_with_dom(hash,prehashed,context,context_len); hash_update(hash,nonce_point,sizeof(nonce_point)); - hash_update(hash,pubkey,$(C_NS)_EDDSA_PUBLIC_BYTES); + hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES); hash_update(hash,message,message_len); - uint8_t challenge[2*$(C_NS)_EDDSA_PRIVATE_BYTES]; + uint8_t challenge[2*DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]; hash_final(hash,challenge,sizeof(challenge)); hash_destroy(hash); API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge)); @@ -177,9 +183,9 @@ void API_NS(eddsa_sign) ( API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar); API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar); - decaf_bzero(signature,$(C_NS)_EDDSA_SIGNATURE_BYTES); + decaf_bzero(signature,DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES); memcpy(signature,nonce_point,sizeof(nonce_point)); - API_NS(scalar_encode)(&signature[$(C_NS)_EDDSA_PUBLIC_BYTES],challenge_scalar); + API_NS(scalar_encode)(&signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],challenge_scalar); API_NS(scalar_destroy)(secret_scalar); API_NS(scalar_destroy)(nonce_scalar); @@ -187,9 +193,9 @@ void API_NS(eddsa_sign) ( } -decaf_error_t API_NS(eddsa_verify) ( - const uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES], - const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES], +decaf_error_t decaf_eddsa_$(gf_shortname)_verify ( + const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed 
@@ -214,10 +220,10 @@ decaf_error_t API_NS(eddsa_verify) ( /* Compute the challenge */ hash_ctx_t hash; hash_init_with_dom(hash,prehashed,context,context_len); - hash_update(hash,signature,$(C_NS)_EDDSA_PUBLIC_BYTES); - hash_update(hash,pubkey,$(C_NS)_EDDSA_PUBLIC_BYTES); + hash_update(hash,signature,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES); + hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES); hash_update(hash,message,message_len); - uint8_t challenge[2*$(C_NS)_EDDSA_PRIVATE_BYTES]; + uint8_t challenge[2*DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]; hash_final(hash,challenge,sizeof(challenge)); hash_destroy(hash); API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge)); @@ -228,10 +234,10 @@ decaf_error_t API_NS(eddsa_verify) ( API_NS(scalar_t) response_scalar; API_NS(scalar_decode_long)( response_scalar, - &signature[$(C_NS)_EDDSA_PUBLIC_BYTES], - $(C_NS)_EDDSA_PRIVATE_BYTES + &signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], + DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES ); -#if EDDSA_USE_SIGMA_ISOGENY +#if EDDSA_BASE_POINT_RATIO == 2 API_NS(scalar_add)(response_scalar,response_scalar,response_scalar); #endif diff --git a/src/per_curve/eddsa.tmpl.h b/src/per_curve/eddsa.tmpl.h index 8a52684..2d15182 100644 --- a/src/per_curve/eddsa.tmpl.h +++ b/src/per_curve/eddsa.tmpl.h 
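Review bot: In the second `eddsa_verify` hunk the response half of the signature is read with `API_NS(scalar_decode_long)`, which has to reduce its input modulo the group order because the same routine is applied to `2*DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES`-byte hash outputs in derive_public_key and sign; a signature whose S is non-canonical (S plus a multiple of the order, or non-zero padding bytes) therefore decodes to the same scalar as the canonical one and verifies. RFC 8032 requires rejecting S unless it lies in [0, order), and accepting non-canonical S makes every signature malleable, which breaks callers that treat a signature as a unique identifier. Replace the call with the canonical decoder and fail on error, e.g. `if (DECAF_SUCCESS != API_NS(scalar_decode)(response_scalar, &signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES])) return DECAF_FAILURE;`, and where `DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES` exceeds the scalar serialization size (the 57-byte Ed448 layout) also require the trailing byte to be zero. The rest of the function is outside the hunk, so if such a range check already exists elsewhere this is moot.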
@@ -7,16 +7,16 @@ extern "C" { #endif /** Number of bytes in an EdDSA public key. */ -#define $(C_NS)_EDDSA_PUBLIC_BYTES $((gf_bits)/8 + 1) +#define DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES $((gf_bits)/8 + 1) /** Number of bytes in an EdDSA private key. */ -#define $(C_NS)_EDDSA_PRIVATE_BYTES $(C_NS)_EDDSA_PUBLIC_BYTES +#define DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES /** Number of bytes in an EdDSA private key. */ -#define $(C_NS)_EDDSA_SIGNATURE_BYTES ($(C_NS)_EDDSA_PUBLIC_BYTES + $(C_NS)_EDDSA_PRIVATE_BYTES) +#define DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES (DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES + DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES) /** Does EdDSA support contexts? */ -#define $(C_NS)_EDDSA_SUPPORTS_CONTEXTS $(eddsa_supports_contexts) +#define DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS $(eddsa_supports_contexts) /** * @brief EdDSA key generation. This function uses a different (non-Decaf) @@ -25,9 +25,9 @@ extern "C" { * @param [out] pubkey The public key. * @param [in] privkey The private key. */ -void $(c_ns)_eddsa_derive_public_key ( - uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES], - const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES] +void decaf_eddsa_$(gf_shortname)_derive_public_key ( + uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], + const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES] ) API_VIS NONNULL NOINLINE; /** 
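Review bot: The doc comment over `DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES` reads `/** Number of bytes in an EdDSA private key. */`, copied from the define above it; it should be `/** Number of bytes in an EdDSA signature. */`. The commit already rewrites the define on the next line, so fixing the copy-paste here keeps the wrong description out of every generated per-curve header.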
@@ -42,14 +42,14 @@ void $(c_ns)_eddsa_derive_public_key ( * @param [in] message_len The length of the message. * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign. */ -void $(c_ns)_eddsa_sign ( - uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES], - const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES], - const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES], +void decaf_eddsa_$(gf_shortname)_sign ( + uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES], + const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed -#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS , const uint8_t *context, uint8_t context_len #endif @@ -68,13 +68,13 @@ void $(c_ns)_eddsa_sign ( * @param [in] message_len The length of the message. * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify. */ -decaf_error_t $(c_ns)_eddsa_verify ( - const uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES], - const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES], +decaf_error_t decaf_eddsa_$(gf_shortname)_verify ( + const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES], + const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed -#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS , const uint8_t *context, uint8_t context_len #endif @@ -93,7 +93,7 @@ decaf_error_t $(c_ns)_eddsa_verify ( * point doctrine is worked out. */ void $(c_ns)_point_encode_like_eddsa ( - uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES], + uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES], const $(c_ns)_point_t p ) API_VIS NONNULL NOINLINE; 
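Review bot: The renamed `decaf_eddsa_$(gf_shortname)_sign` and `decaf_eddsa_$(gf_shortname)_verify` prototypes end with the conditional `context` / `context_len` parameters, but the visible tail of each Doxygen block stops at `@param [in] prehashed`; unless the start of the block (outside the hunk) covers them, add `@param [in] context The context string; present only when DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS.` and `@param [in] context_len Its length in bytes, at most 255.` so the generated documentation describes the whole signature. The `uint8_t context_len` type is what enforces the 255-byte bound, and saying so in the comment makes the limit deliberate rather than accidental.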
@@ -105,7 +105,7 @@ void $(c_ns)_point_encode_like_eddsa ( */ decaf_error_t $(c_ns)_point_decode_like_eddsa ( $(c_ns)_point_t p, - const uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES] + const uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES] ) API_VIS NONNULL NOINLINE; #ifdef __cplusplus diff --git a/src/per_curve/eddsa.tmpl.hxx b/src/per_curve/eddsa.tmpl.hxx index 3d0e79d..4180e91 100644 --- a/src/per_curve/eddsa.tmpl.hxx +++ b/src/per_curve/eddsa.tmpl.hxx @@ -52,7 +52,7 @@ typedef class PrivateKeyBase PrivateKeyPh; class Prehash : public $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) { public: /** Do we support contexts for signatures? If not, they must always be NULL */ - static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS; + static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS; private: typedef $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) Super; @@ -113,14 +113,14 @@ public: SecureBuffer out(CRTP::SIG_BYTES); FixedArrayBuffer tmp; ph.final(tmp); - $(c_ns)_eddsa_sign ( + decaf_eddsa_$(gf_shortname)_sign ( out.data(), ((const CRTP*)this)->priv_.data(), ((const CRTP*)this)->pub_.data(), tmp.data(), tmp.size(), 1 -#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() #endif @@ -162,14 +162,14 @@ public: } SecureBuffer out(CRTP::SIG_BYTES); - $(c_ns)_eddsa_sign ( + decaf_eddsa_$(gf_shortname)_sign ( out.data(), ((const CRTP*)this)->priv_.data(), ((const CRTP*)this)->pub_.data(), message.data(), message.size(), 0 -#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS , context.data(), context.size() #endif 
@@ -205,23 +205,23 @@ private: """) /** The pre-expansion form of the signing key. */ - FixedArrayBuffer<$(C_NS)_EDDSA_PRIVATE_BYTES> priv_; + FixedArrayBuffer priv_; /** The post-expansion public key. */ - FixedArrayBuffer<$(C_NS)_EDDSA_PUBLIC_BYTES> pub_; + FixedArrayBuffer pub_; public: /** Underlying group */ typedef $(cxx_ns) Group; /** Signature size. */ - static const size_t SIG_BYTES = $(C_NS)_EDDSA_SIGNATURE_BYTES; + static const size_t SIG_BYTES = DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES; /** Serialization size. */ - static const size_t SER_BYTES = $(C_NS)_EDDSA_PRIVATE_BYTES; + static const size_t SER_BYTES = DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES; /** Do we support contexts for signatures? If not, they must always be NULL */ - static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS; + static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS; /** Create but don't initialize */ @@ -235,13 +235,13 @@ public: /** Create at random */ inline explicit PrivateKeyBase(Rng &r) NOEXCEPT : priv_(r) { - $(c_ns)_eddsa_derive_public_key(pub_.data(), priv_.data()); + decaf_eddsa_$(gf_shortname)_derive_public_key(pub_.data(), priv_.data()); } /** Assignment from string */ inline PrivateKeyBase &operator=(const FixedBlock &b) NOEXCEPT { memcpy(priv_.data(),b.data(),b.size()); - $(c_ns)_eddsa_derive_public_key(pub_.data(), priv_.data()); + decaf_eddsa_$(gf_shortname)_derive_public_key(pub_.data(), priv_.data()); return *this; } @@ -273,7 +273,7 @@ template class Verification { public: /** Verify a signature, returning DECAF_FAILURE if verification fails */ inline decaf_error_t WARN_UNUSED verify_noexcept ( - const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig, + const FixedBlock &sig, const Block &message, const Block &context = Block(NULL,0) ) const /*NOEXCEPT*/ { 
@@ -283,13 +283,13 @@ public: return DECAF_FAILURE; } - return $(c_ns)_eddsa_verify ( + return decaf_eddsa_$(gf_shortname)_verify ( sig.data(), ((const CRTP*)this)->pub_.data(), message.data(), message.size(), 0 -#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS , context.data(), context.size() #endif @@ -305,7 +305,7 @@ public: * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages. */ inline void verify ( - const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig, + const FixedBlock &sig, const Block &message, const Block &context = Block(NULL,0) ) const /*throw(LengthException,CryptoException)*/ { @@ -326,18 +326,18 @@ template class Verification { public: /* Verify a prehash context, and reset the context */ inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept ( - const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig, + const FixedBlock &sig, Prehash &ph ) const /*NOEXCEPT*/ { FixedArrayBuffer m; ph.final(m); - return $(c_ns)_eddsa_verify ( + return decaf_eddsa_$(gf_shortname)_verify ( sig.data(), ((const CRTP*)this)->pub_.data(), m.data(), m.size(), 1 -#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() #endif @@ -346,18 +346,18 @@ public: /* Verify a prehash context, and reset the context */ inline void verify_prehashed ( - const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig, + const FixedBlock &sig, Prehash &ph ) const /*throw(CryptoException)*/ { FixedArrayBuffer m; ph.final(m); - if (DECAF_SUCCESS != $(c_ns)_eddsa_verify ( + if (DECAF_SUCCESS != decaf_eddsa_$(gf_shortname)_verify ( sig.data(), ((const CRTP*)this)->pub_.data(), m.data(), m.size(), 1 -#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS +#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS , ph.context_.data(), ph.context_.size() #endif 
@@ -368,7 +368,7 @@ public: /* Verify a message using the prehasher */ inline void verify_with_prehash ( - const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig, + const FixedBlock &sig, const Block &message, const Block &context = Block(NULL,0) ) const /*throw(LengthException,CryptoException)*/ { @@ -409,7 +409,7 @@ private: private: /** The pre-expansion form of the signature */ - FixedArrayBuffer<$(C_NS)_EDDSA_PUBLIC_BYTES> pub_; + FixedArrayBuffer pub_; public: /* PERF FUTURE: Pre-cached decoding? Precomputed table?? */ @@ -418,13 +418,13 @@ public: typedef $(cxx_ns) Group; /** Signature size. */ - static const size_t SIG_BYTES = $(C_NS)_EDDSA_SIGNATURE_BYTES; + static const size_t SIG_BYTES = DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES; /** Serialization size. */ - static const size_t SER_BYTES = $(C_NS)_EDDSA_PRIVATE_BYTES; + static const size_t SER_BYTES = DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES; /** Do we support contexts for signatures? If not, they must always be NULL */ - static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS; + static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS; /** Create but don't initialize */